ECHO-8d11-e996-aa3c

See a problem?
Import Source
https://advisory.echohq.com/osv/ECHO-8d11-e996-aa3c.json
JSON Data
https://api.osv.dev/v1/vulns/ECHO-8d11-e996-aa3c
Upstream
Withdrawn
2026-07-13T15:45:01.813Z
Published
2026-06-30T14:02:16.425Z
Modified
2026-07-13T16:30:03.896979122Z
Summary
Reported (VulDB) stack-based buffer overflow in llvm::StringMap::insert in lib/IR/ValueSymbolTable.cpp (ValueSymbolTable module), reachable only by locally feeding crafted IR/input to LLVM tooling. NVD carries the "disputed" tag and the record notes "The presence of this vulnerability remains uncertain". The LLVM project explains that the reported behavior is outside its documented security scope and is therefore not considered a security vulnerability (LLVM libraries are not a security boundary for untrusted input). Reported against llvm-project 22.1.x; the shipped toolchain is 19.1.7. Debian classifies it as an unimportant issue. No code change required. https://security-tracker.debian.org/tracker/CVE-2026-13573
Details
References

Affected packages

Echo / llvm-toolchain-19

Package

Name
llvm-toolchain-19
Purl
pkg:deb/echo/llvm-toolchain-19

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:19.1.7-3

Database specific

source
"https://advisory.echohq.com/osv/ECHO-8d11-e996-aa3c.json"